Over on Threatpost, Dennis Fisher has a story about a serious Java vulnerability that leaves users running any of the current versions of Windows open to simple Web-based attacks that could lead to a complete compromise of the affected system.

The flaw was disclosed publicly this week by two separate researchers. One of the researchers, Tavis Ormandy of Google, said he decided to go public when Sun declined to issue a prompt fix.

Google's Ormandy said the toolkit provides only minimal validation of the URL parameter, allowing a malicious hacker to pass arbitrary parameters to the javaws utility, which provides enough functionality via command line arguments to allow this error to be exploited.

"The simplicity with which this error can be discovered has convinced me that releasing this document is in the best interest of everyone except the vendor," Ormandy explained.

The issue affects all versions since Java SE 6 update 10 for Microsoft Windows. Disabling the Java plugin is not sufficient to prevent exploitation, as the toolkit is installed independently.

Internet Explorer users can be protected by temporarily setting the killbit on CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA. To the best of my knowledge, the deployment toolkit is not in widespread usage and is unlikely to impact end users.

Mozilla Firefox and other NPAPI-based browser users can be protected using file system ACLs to prevent access to npdeploytk.dll. These ACLs can also be managed via GPO.
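The two workarounds above (the IE killbit on the quoted CLSID and a file system ACL on npdeploytk.dll) as a single elevated PowerShell script; this is an added example, not code from the article or from Ormandy's advisory. It assumes npdeploytk.dll lives somewhere under the Java directories in Program Files, and that the killbit value is the standard 0x400 "Compatibility Flags" DWORD that Internet Explorer honours.

```powershell
# Added example: apply both mitigations from the post. Run as Administrator.
# Assumption: the CLSID is the one quoted in the post; the DLL search roots are a guess.
$clsid = '{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}'

# 1. Internet Explorer: set the killbit. IE refuses to instantiate any ActiveX
#    control whose "Compatibility Flags" value has bit 0x400 set.
$keyPath = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid"
if (-not (Test-Path $keyPath)) {
    New-Item -Path $keyPath -Force | Out-Null
}
Set-ItemProperty -Path $keyPath -Name 'Compatibility Flags' -Value 0x400 -Type DWord

# 2. NPAPI browsers (Firefox etc.): add a Deny read/execute ACE for Everyone on
#    every copy of npdeploytk.dll so the browser can no longer load the plugin.
#    Searching under <Program Files>\Java is an assumption about the install layout.
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } |
    ForEach-Object { Join-Path $_ 'Java' } |
    Where-Object { Test-Path $_ }

$dlls = Get-ChildItem -Path $roots -Filter 'npdeploytk.dll' -Recurse -ErrorAction SilentlyContinue
foreach ($dll in $dlls) {
    $acl  = Get-Acl -Path $dll.FullName
    $deny = New-Object System.Security.AccessControl.FileSystemAccessRule(
                'Everyone', 'ReadAndExecute', 'Deny')
    $acl.AddAccessRule($deny)
    Set-Acl -Path $dll.FullName -AclObject $acl
    Write-Output "Denied read/execute on $($dll.FullName)"
}

# 3. Verify: the killbit value reads back as 0x400 and each DLL carries the Deny ACE.
$flags = (Get-ItemProperty -Path $keyPath -Name 'Compatibility Flags').'Compatibility Flags'
Write-Output ("Killbit set for {0}: {1}" -f $clsid, ($flags -band 0x400) -eq 0x400)
foreach ($dll in $dlls) {
    $hasDeny = (Get-Acl -Path $dll.FullName).Access |
        Where-Object { $_.AccessControlType -eq 'Deny' -and $_.IdentityReference -eq 'Everyone' }
    Write-Output ("Deny ACE present on {0}: {1}" -f $dll.FullName, [bool]$hasDeny)
}
```

To roll the workaround back once a vendor fix is installed, delete the `Compatibility Flags` value under the CLSID key and remove the Deny ACE with `$acl.RemoveAccessRule($deny)` followed by `Set-Acl`.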